From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <pve-devel-bounces@lists.proxmox.com>
Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68])
	by lore.proxmox.com (Postfix) with ESMTPS id 7B8AC1FF176
	for <inbox@lore.proxmox.com>; Fri, 24 Jan 2025 10:18:01 +0100 (CET)
Received: from firstgate.proxmox.com (localhost [127.0.0.1])
	by firstgate.proxmox.com (Proxmox) with ESMTP id D5F241B390;
	Fri, 24 Jan 2025 10:17:56 +0100 (CET)
Date: Fri, 24 Jan 2025 10:17:19 +0100
From: Fabian =?iso-8859-1?q?Gr=FCnbichler?= <f.gruenbichler@proxmox.com>
To: Proxmox VE development discussion <pve-devel@lists.proxmox.com>
References: <20241216041428.1184350-1-thomas@atskinner.net>
 <20241216041428.1184350-5-thomas@atskinner.net>
In-Reply-To: <20241216041428.1184350-5-thomas@atskinner.net>
MIME-Version: 1.0
User-Agent: astroid/0.16.0 (https://github.com/astroidmail/astroid)
Message-Id: <1737709944.2rc2l2rfel.astroid@yuna.none>
X-SPAM-LEVEL: Spam detection results:  0
 AWL 0.051 Adjusted score from AWL reputation of From: address
 BAYES_00                 -1.9 Bayes spam probability is 0 to 1%
 DMARC_MISSING             0.1 Missing DMARC policy
 KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment
 SPF_HELO_NONE           0.001 SPF: HELO does not publish an SPF Record
 SPF_PASS               -0.001 SPF: sender matches SPF record
 T_SCC_BODY_TEXT_LINE    -0.01 -
Subject: Re: [pve-devel] [PATCH perl-rs v2 4/5] fix #4234: openid: adjust
 openid verification function for userinfo option
X-BeenThere: pve-devel@lists.proxmox.com
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Proxmox VE development discussion <pve-devel.lists.proxmox.com>
List-Unsubscribe: <https://lists.proxmox.com/cgi-bin/mailman/options/pve-devel>, 
 <mailto:pve-devel-request@lists.proxmox.com?subject=unsubscribe>
List-Archive: <http://lists.proxmox.com/pipermail/pve-devel/>
List-Post: <mailto:pve-devel@lists.proxmox.com>
List-Help: <mailto:pve-devel-request@lists.proxmox.com?subject=help>
List-Subscribe: <https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel>, 
 <mailto:pve-devel-request@lists.proxmox.com?subject=subscribe>
Reply-To: Proxmox VE development discussion <pve-devel@lists.proxmox.com>
Cc: Thomas Skinner <thomas@atskinner.net>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: pve-devel-bounces@lists.proxmox.com
Sender: "pve-devel" <pve-devel-bounces@lists.proxmox.com>

On December 16, 2024 5:14 am, Thomas Skinner wrote:
> Signed-off-by: Thomas Skinner <thomas@atskinner.net>
> ---
>  pve-rs/src/openid/mod.rs | 9 +++++++--
>  1 file changed, 7 insertions(+), 2 deletions(-)
> 
> diff --git a/pve-rs/src/openid/mod.rs b/pve-rs/src/openid/mod.rs
> index 1fa7572..cd573ee 100644
> --- a/pve-rs/src/openid/mod.rs
> +++ b/pve-rs/src/openid/mod.rs
> @@ -50,13 +50,18 @@ mod export {
>      }
>  
>      #[export(raw_return)]
> -    pub fn verify_authorization_code(
> +    pub fn verify_authorization_code_userinfo(

we could either add a new wrapper like in proxmox-openid, keeping the
old one around (until PVE 9.0)

>          #[try_from_ref] this: &OpenId,
>          code: &str,
>          private_auth_state: PrivateAuthState,
> +        disable_userinfo: bool,

or make this an Option<bool> and not rename the fn so existing callers
are not broken

>      ) -> Result<Value, Error> {
>          let open_id = this.inner.lock().unwrap();
> -        let claims = open_id.verify_authorization_code_simple(code, &private_auth_state)?;
> +        let claims = open_id.verify_authorization_code_simple_userinfo(

if we go the Option route, we could either select which proxmox-openid
fn to call here, or unwrap the Option to false and just call the new
one.

the reason I'd prefer a backwards-compat implementation here is that
without it, we need to have the following relations:

pve-access-control: depends on new libpve-rs-perl
libpve-rs-perl: breaks old pve-access-control
libpve-rs-perl: dpends on new librust-proxmox-openid-dev

whereas with a backwards-compat implementation in libpve-rs-perl we just
need:
pve-access-control depends on new libpve-rs-perl
libpve-rs-perl: depends on new librust-proxmox-openid-dev

which is much less entangled as all the version constraints go in the
same direction.

> +            code,
> +            &private_auth_state,
> +            disable_userinfo,
> +        )?;
>  
>          Ok(to_value(&claims)?)
>      }
> -- 
> 2.39.5
> 
> 
> _______________________________________________
> pve-devel mailing list
> pve-devel@lists.proxmox.com
> https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
> 
> 
> 


_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel